Several EXE files were installed on a production server. The AV did not detect them as viruses but we do not know what they do. We have copied them to a USB stick and deleted them and all references from production. How can we dissect the applications to see what they did or do?

Answer Wiki

There are a number of great Windows Sysinternals tools that will provide information about what files, registry keys and other objects processes have open, which DLLs they have loaded, and more, and who owns each process – Process Explorer provides this information. You can get Process Explorer and other tools from the Microsoft Technet site: http://technet.microsoft.com/en-us/sysinternals/bb795535. Process Monitor will monitor file system, Registry, process, thread and DLL activity in real-time. So you can find a spare machine or virtual machine and re-run the EXE files and use some of the above tools to monitor what those EXEs are doing.


Discuss This Question: 4 Replies


If you have nothing else, you can also open the .EXEs with Notepad and scan through it visually. Look for any names that you can read. The names may reference procedures and/or .DLLs that will give you some guidance. There can also be constants that sometimes give clues.
You don't have to execute the programs -- just look through them to see anything that catches your eye.
Tom
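The "open it in Notepad" approach above works because the file names, import names, URLs and registry paths a program uses are usually stored as plain text inside it. The script below, an added example that is not part of the original thread, automates that read-through: it pulls out printable ASCII runs and also UTF-16LE ("wide") runs, which a text editor shows as letters separated by NUL characters and which are easy to miss by eye, then sorts the hits into rough buckets (DLL names, URLs, registry keys, file paths, CamelCase procedure names). The sample byte blob, the `.invalid` hostname and the bucket patterns are constructed for illustration; the heuristics are deliberately loose, and a string in the "api" bucket is only a hint, not proof of what the program does.

```python
import re
import sys
from collections import defaultdict

MIN_LEN = 4  # shortest printable run worth reporting

# Printable-ASCII runs, and UTF-16LE runs (each printable byte followed by a NUL),
# which is how many Windows programs store paths, URLs and registry keys.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Heuristic buckets, checked in order; the first match wins. These are
# assumptions for triage, not a definitive classification.
BUCKETS = [
    ("dll", re.compile(r"^[\w.\-]+\.dll$", re.I)),
    ("url", re.compile(r"^(https?|ftp)://", re.I)),
    ("registry", re.compile(r"^(HKEY_|HKLM\\|HKCU\\|SOFTWARE\\|SYSTEM\\)", re.I)),
    ("path", re.compile(r"^([A-Za-z]:\\|\\\\|%[A-Za-z]+%)")),
    ("api", re.compile(r"^[A-Z][A-Za-z0-9]{5,}$")),  # CamelCase, e.g. Win32 export names
]

# Constructed stand-in for an EXE: a DOS stub banner, import-table style
# names, a wide-string URL, a registry key and a file path. Not a real binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n$\x00"
    + b"\x01\x02\x03"
    + b"KERNEL32.dll\x00WININET.dll\x00"
    + b"GetProcAddress\x00InternetOpenA\x00"
    + b"\xff" * 5
    + "http://update.example.invalid/check".encode("utf-16le") + b"\x00\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"C:\\Windows\\Temp\\svc.log\x00"
    + b"ab\x00"  # too short to report
)


def extract_strings(data):
    """Return (offset, encoding, text) for every printable run, in file order."""
    hits = []
    for m in ASCII_RE.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RE.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(hits)


def triage(data):
    """Bucket the strings found in data; 'other' holds everything unclassified."""
    buckets = defaultdict(list)
    for _offset, _encoding, text in extract_strings(data):
        for name, pattern in BUCKETS:
            if pattern.match(text):
                break
        else:
            name = "other"
        if text not in buckets[name]:  # keep first occurrence only
            buckets[name].append(text)
    return dict(buckets)


def triage_file(path):
    """Run triage() over a file on disk (the copied EXE, never the live one)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    report = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE)
    for name, items in report.items():
        print(f"[{name}] {len(items)} string(s)")
        for item in items[:20]:
            print("   ", item)
```

Run it with the path of the copied executable as the only argument; with no argument it triages the built-in sample. Treat the output as a list of leads for the dynamic analysis the other replies describe, not as a verdict: packed or encrypted binaries show almost no readable strings, and a DLL name in the import table tells you which library a program links, not what it does with it.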

Yes, I have to agree with mortimer1 regarding using Process Monitor to dissect the application and re-run it on a spare machine for safeguard....
One suggestion, if it is required... you can use Acronis 2010 True Image software, which allows you to test-run those applications that you've suspected... if the applications seem to cause problems, Acronis can discard what was done and will not harm your system. A special feature called "Try and Decide"..

If you are going to run the program(s) on another machine, I would recommend installing a software firewall with outgoing-connection monitoring capabilities that could inform you if the application tries to connect to the outside.
You could also install an anti-spyware program which will inform you if the application is trying to modify any system file.
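The Process Monitor suggestion in the answer wiki and the firewall and anti-spyware suggestions in this reply come down to the same three questions about the re-run on the spare machine: did it write to system locations, did it register itself to start again, and did it talk to the network. A single Process Monitor capture answers all three, but a few minutes of capture is tens of thousands of rows. The script below is an added example, not from the thread or from Sysinternals; it assumes a Process Monitor CSV export (File > Save, CSV format) with the default columns, and the rows in `SAMPLE_CSV`, the process name `unknown1.exe` and the addresses in it are constructed. It counts operations for the process under test and pulls out the events worth reading first.

```python
import csv
import io
import sys
from collections import Counter, defaultdict

# Directories where a program of unknown provenance has no business writing.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
# Registry key fragments that give a program a way to start again after a reboot.
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce",
                  "\\currentcontrolset\\services\\", "\\winlogon\\")
# Procmon operation names for outbound traffic.
NETWORK_OPS = ("TCP Connect", "TCP Send", "UDP Send")

# Constructed sample of a Process Monitor CSV export with the default columns;
# this is not a real capture. The explorer.exe row shows unrelated noise.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","unknown1.exe","4120","Process Start","","SUCCESS","Parent PID: 1532, Command line: C:\\Temp\\unknown1.exe"
"10:01:02.2","unknown1.exe","4120","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7ff80000"
"10:01:02.3","unknown1.exe","4120","Load Image","C:\\Temp\\helper.dll","SUCCESS","Image Base: 0x7ff70000"
"10:01:02.4","unknown1.exe","4120","CreateFile","C:\\Windows\\System32\\drivers\\etc\\hosts","SUCCESS","Desired Access: Generic Write"
"10:01:02.5","unknown1.exe","4120","WriteFile","C:\\Windows\\System32\\drivers\\etc\\hosts","SUCCESS","Offset: 0, Length: 120"
"10:01:02.6","unknown1.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc","SUCCESS","Type: REG_SZ, Data: C:\\Temp\\unknown1.exe"
"10:01:02.7","unknown1.exe","4120","TCP Connect","host-a:49731 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:03.0","unknown1.exe","4120","CreateFile","C:\\Temp\\out.log","SUCCESS","Desired Access: Generic Write"
"10:01:03.1","explorer.exe","1532","RegQueryValue","HKCU\\Software\\Classes","SUCCESS","Type: REG_SZ"
"10:01:03.2","unknown1.exe","4120","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4188, Command line: cmd.exe"
"""


def summarize(csv_text, process_name):
    """Return (operation counts, findings) for one process in a Procmon CSV export."""
    ops = Counter()
    findings = defaultdict(list)

    def note(kind, path):
        if path not in findings[kind]:  # report each path once per category
            findings[kind].append(path)

    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        ops[op] += 1
        lpath = path.lower()
        if op == "CreateFile" and "generic write" in detail.lower() and lpath.startswith(SYSTEM_DIRS):
            note("system_file_write", path)       # opened a system file for writing
        elif op == "WriteFile" and lpath.startswith(SYSTEM_DIRS):
            note("system_file_write", path)       # actually wrote to it
        elif op == "RegSetValue" and any(k in lpath for k in AUTOSTART_KEYS):
            note("autostart_registry", path)      # persistence: Run keys, services, Winlogon
        elif op in NETWORK_OPS:
            note("network", path)                 # what a firewall with outbound alerts would show
        elif op == "Process Create":
            note("child_process", path)           # spawned another program
        elif op == "Load Image" and lpath.endswith(".dll") and not lpath.startswith(SYSTEM_DIRS):
            note("nonsystem_image", path)         # DLL loaded from outside the system directories
    return ops, dict(findings)


if __name__ == "__main__":
    if len(sys.argv) > 2:
        # Procmon writes UTF-8 with a BOM; utf-8-sig handles both with and without.
        with open(sys.argv[1], newline="", encoding="utf-8-sig") as fh:
            text = fh.read()
        name = sys.argv[2]
    else:
        text, name = SAMPLE_CSV, "unknown1.exe"
    counts, report = summarize(text, name)
    print(f"Operations by {name}: {dict(counts)}")
    for kind, paths in report.items():
        print(f"[{kind}]")
        for p in paths:
            print("   ", p)
```

Invoke it as `python procmon_summary.py export.csv unknown1.exe` (the script name is an assumption); without arguments it runs over the built-in sample. Note what the sample also shows: the write to `C:\Temp\out.log` is deliberately not reported, because writing to its own working directory is not by itself a sign of anything, and the per-operation counts give a feel for how busy the program was before you read the flagged rows.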

